System and method for automatically hiding sensitive information obtainable from a process table
The present invention provides a system and method for automatically hiding sensitive information, obtainable from a process table, from other processes that should not access the sensitive information. The system and method include a sensitive command attribute table that is used by a system administrator to designate the commands and command attributes that will typically be associated with sensitive information. The sensitive command attribute table is used when a command is entered that requests information from the process table to be displayed or output. In response, a search of the process table entries is made to determine if a command and/or its attribute in the process table matches an entry in the sensitive command attribute table. If so, the command, its attributes, and/or its attribute values are blanked from the output of the process table information.
1. Technical Field
The present invention is generally directed to an improved data processing system and method. More specifically, the present invention is directed to a system and method for automatically hiding sensitive information that may be obtainable from a process table.
2. Description of Related Art
The process table is a table containing all of the information that must be saved when a processor switches from running one process to another in a multitasking computer system. The information in the process table allows the suspended process to be restarted at a later time as if it had never been stopped. Every process has an entry in the process table. These entries are known as control blocks and contain the process state, memory state and resource state for the corresponding process. The process state is the information needed so that the process can be loaded into memory and run, such as the program counter, the stack pointer, and the values of registers. The memory state is the details of the memory allocation, such as pointers to the various memory areas used by the program. The resource state is the information regarding the status of files being used by the process, such as a user ID file and a password file. Other parameters of the process may be stored in the process control block as necessary. An example of a process table is shown in
In many operating systems, commands are provided for gaining access to the process table. For example, the “ps” command in the Linux, Unix and AIX operating systems allows information from the process table to be displayed for every process running on the computing system. In some situations, such commands may allow an unauthorized user to gain access to sensitive information that is stored in association with a process in the process table.
For example, when a user enters a command in a command line of the operating system, the command initiates a process which causes a process table entry to be created. This command may include sensitive information, such as a user identifier and password, credit card information, security key information, and the like. For example, the command “>dbaddcmd -a ADD -u genty -p user_pwd” adds a user whose user name is “genty” and whose password is “user_pwd” to an authorized user file in a local database.
As shown in
There are basically two known solutions to this problem, neither of which provides an optimum solution. A first solution is to not allow a command line argument on a particular command. In this case, the user must execute the command and the command waits for standard input. The user then enters the input, which may be the sensitive information. Since the input is not part of the command that started the process, the input from the user is not recorded in the process control block for the command in the process table. An example of this solution is shown below:
- >passwd genty
- Changing passwords for “genty”:
- “genty”'s Old password:
Thus, in the above example, the command that would be entered into the process table is “passwd genty” and the actual password that is entered by the user at the prompt “Old password:” would not be displayed in the process table. The drawback of this solution is that users want to place script wrappers around the command to automate the process. That is, in order to automate the changing of a plurality of user passwords, a script wrapper may be placed on the command “passwd”. However, in the above case where user input to a prompt is required, the script wrapper will not function appropriately. That is, the automation is negated by the need for user prompted input.
A second solution to the problem of sensitive information being accessible via the process table is to empty out the arguments of the command code that deals with sensitive information. For example, in the example command provided above, the sixth argument is associated with a password. Thus, the logic that handles the commands entered via the command line may receive the command, initiate a corresponding process and generate a corresponding process control block in the process table. Thereafter, the password may be copied to a variable and then the password argument may be set to null so that other processes cannot see it via the process table. The drawback of this solution is that there is a window of time between the creation of the process control block and the execution of the process that nulls the password argument. If an automated mechanism is used to continuously enter the “ps -ef” command, it is possible that the “ps -ef” may capture the process control block prior to the argument being nulled.
Thus, it would be beneficial to have an improved mechanism for securing sensitive information from being accessed via the process table. More specifically, it would be beneficial to have a system and method that maintains the security of sensitive information while permitting script wrappers to be used and eliminating windows of time when the sensitive information may be accessible via the process table.
SUMMARY OF THE INVENTION
The present invention provides a system and method for automatically hiding sensitive information, obtainable from a process table, from other processes that should not access the sensitive information. The system and method include a sensitive command attribute table that is used by a system administrator to designate the commands and command attributes that will typically be associated with sensitive information. The sensitive command attribute table is loaded into memory at system initialization time and is used when a command is entered that requests information from the process table to be displayed or output.
When a command is entered that displays or otherwise outputs information from the process table, the command handling code, e.g., the system call, retrieves the process control blocks of the process table and compares the commands and/or their attributes in the process table with the entries in the sensitive command attribute table. If a command and/or its attribute in the process table matches an entry in the sensitive command attribute table, then the command, its attributes, and/or its attribute values are blanked from the output of the process table information.
In a further embodiment of the present invention, the sensitive command attribute table includes, in the entries of the table, a field for designating the database locations where the attribute values corresponding to the command are stored and a field for designating the encryption type/format of the identified database. In this further embodiment, when there is a matching command or attribute, the value associated with the matching command or attribute may be converted to a proper format using the identified encryption type/format and then used to search the database identified in the database location field. If the value is present in any database listed in the sensitive command attribute table, then the value may be blanked from any output of the process table information. If the value is not present in the database, it is determined that the information is not sensitive and is permitted to be included in the process table information output.
In yet another embodiment of the present invention, the sensitive command attribute table includes a column designating the sensitive command and one or more additional columns for designating sensitive command attributes associated with the command. When using this sensitive command attribute table, a determination is made as to whether any of the process table entries have commands that match a command in the command column of the sensitive command attribute table. If so, any attribute value and/or the attribute name itself, corresponding to the command attribute columns associated with the matching command column entry are blanked in the process table information output.
The various embodiments of the present invention summarized above provide mechanisms that maintain the security of sensitive information stored in the process table while permitting script wrappers on commands. In addition, the present invention eliminates the window of opportunity that exists in solutions where the sensitive information in the process table is blanked by a separate process. These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the preferred embodiments.
The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
The present invention provides mechanisms for ensuring the security of sensitive information in the process table of a data processing system. Therefore, in order to provide a context of a typical device in which the present invention may be implemented,
Referring to
Peripheral component interconnect (PCI) bus bridge 214 connected to I/O bus 212 provides an interface to PCI local bus 216. A number of modems may be connected to PCI local bus 216. Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to client computing devices may be provided through modem 218 and network adapter 220 connected to PCI local bus 216 through add-in connectors.
Additional PCI bus bridges 222 and 224 provide interfaces for additional PCI local buses 226 and 228, from which additional modems or network adapters may be supported. In this manner, data processing system 200 allows connections to multiple network computers. A memory-mapped graphics adapter 230 and hard disk 232 may also be connected to I/O bus 212 as depicted, either directly or indirectly.
Those of ordinary skill in the art will appreciate that the hardware depicted in
The data processing system depicted in
An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in
Those of ordinary skill in the art will appreciate that the hardware in
As another example, data processing system 300 may be a stand-alone system configured to be bootable without relying on some type of network communication interfaces. As a further example, data processing system 300 may be a personal digital assistant (PDA) device, which is configured with ROM and/or flash ROM in order to provide non-volatile memory for storing operating system files and/or user-generated data.
The depicted example in
The present invention provides a system and method for automatically hiding sensitive information, obtainable from a process table, from other processes that should not access the sensitive information. The system and method include a sensitive command attribute table that is used by a system administrator to designate the commands and command attributes that will typically be associated with sensitive information. The sensitive command attribute table is loaded into memory at system initialization time and is used when a command is entered that requests information from the process table to be displayed or output.
As shown in
With the present invention, when such a command is entered via the command line interface 510, the command handling code in the operating system 520, e.g., the operating system call, retrieves the process control blocks of the process table 530 and the sensitive command attribute table 540 which has been pre-established by the system administrator and loaded at system initialization. The operating system then compares the commands and/or their attributes that are in the process table 530 entries with the entries in the sensitive command attribute table 540.
For example, taking the example process table 100 in
If a command and/or its attribute in the process table 530 matches an entry in the sensitive command attribute table 540, then the command, its attributes, and/or its attribute values may be blanked from the output 560 of the process table information.
In a further embodiment of the present invention, the entries of the sensitive command attribute table 540, as illustrated in the example shown in
Thus, returning to
Thus, the present invention provides mechanisms that maintain the security of sensitive information stored in the process table while permitting script wrappers on commands. In addition, the present invention eliminates the window of opportunity that exists in solutions where the sensitive information in the process table is blanked by a separate process. These advantages are obtained because the present invention does not require a modification to the commands being entered and does not require a modification to the data stored in the process table. To the contrary, the present invention provides a mechanism that merely blocks certain sensitive information stored in the process table from being output by another process.
In yet another embodiment of the present invention, the sensitive command attribute table includes a column designating the sensitive command and one or more additional columns for designating sensitive command attributes associated with the command.
When using this sensitive command attribute table 600, a determination is made as to whether any of the process table entries have commands that match a command in the command column 610 of the sensitive command attribute table 600. If so, any attribute value and/or the attribute name itself, corresponding to the command attribute column 620 associated with the matching command column 610 entry are blanked in the process table information output, e.g., process table information output 560 in
It should be appreciated that while the present invention has been described in terms of the process status command “ps -ef” being entered as the command that instigates retrieval of the process table information, the present invention is not limited to this particular command line command. To the contrary, any command that may access the information stored in the process table and attempt to output that process table information for viewing or perceiving by an unauthorized user may be used with the present invention. In addition, flags other than “-ef” may be used, such as -m and -o, which cause the displayed process table information to include kernel threads, without departing from the spirit and scope of the present invention.
Accordingly, blocks of the flowchart illustration support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the flowchart illustration, and combinations of blocks in the flowchart illustration, can be implemented by special purpose hardware-based computer systems which perform the specified functions or steps, or by combinations of special purpose hardware and computer instructions.
As shown in
A determination is made as to whether there is a match between the current process table entry commands/attributes and an entry in the sensitive command attribute table (step 750). If so, a search of the database(s) designated in the sensitive command attribute table entry that was matched is performed (step 760). The search attempts to find the attribute value(s) associated with the current process table entry in the designated database(s).
A determination is made as to whether there is a matching entry in the designated database(s) for the attribute value(s) of the current process table entry (step 770). If so, the attribute value is blanked from the process table information output (step 780). Thereafter, or if the result of steps 750 or 770 is a “no match” result, the operation continues to step 790 where a determination is made as to whether the current process table entry is the last process table entry. If it is the last process table entry, the process table information is output with sensitive information identified by the present process being blanked out (step 800). If the process table entry is not the last process table entry, the operation goes to the next process table entry (step 795) and returns to step 740.
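The filtering loop of steps 740 through 800, together with the two table layouts described earlier (a command column with its sensitive attribute columns, and the further embodiment that adds a database location and encryption type/format per entry), written out as an added Python example. This is not IBM's code and is not part of the patent: it assumes a “ps -ef” style eight-column layout with CMD last, stands in for the designated database with an in-memory set of SHA-256 digests (the “encryption type/format” field), and every command name, flag, ps line and value below is constructed for the illustration. It also goes slightly beyond the page's “-p user_pwd” form by handling “--flag=value” attributes.

```python
"""Output-side blanking of sensitive process table attributes, driven by a
sensitive command attribute table.  Example code; all names, lines and values
are constructed and not taken from the patent."""
import hashlib
import os
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SensitiveEntry:
    """One row of the sensitive command attribute table (field names are constructed)."""
    command: str                          # command whose attributes carry secrets
    attributes: tuple                     # flags whose values are sensitive, e.g. ("-p",)
    database: Optional[frozenset] = None  # designated store of known sensitive values, if any
    encryption: Optional[str] = None      # format of the stored values: None or "sha256"


def to_database_format(value: str, encryption: Optional[str]) -> str:
    """Convert a raw attribute value into the format the designated database uses."""
    if encryption is None:
        return value
    if encryption == "sha256":
        return hashlib.sha256(value.encode()).hexdigest()
    raise ValueError(f"unsupported encryption type: {encryption}")


def is_sensitive(value: str, entry: SensitiveEntry) -> bool:
    """Steps 760/770: without a designated database every matching attribute value
    is treated as sensitive; with one, only values actually present in it are."""
    if entry.database is None:
        return True
    return to_database_format(value, entry.encryption) in entry.database


def blank_args(argv: list, entry: SensitiveEntry, mask: str = "****") -> list:
    """Step 780: blank sensitive attribute values in one entry's argument list.
    Handles both the '-p value' form and the '--password=value' form."""
    out = list(argv)
    i = 0
    while i < len(out):
        tok = out[i]
        if tok in entry.attributes and i + 1 < len(out):
            if is_sensitive(out[i + 1], entry):
                out[i + 1] = mask
            i += 2
            continue
        for attr in entry.attributes:
            if tok.startswith(attr + "="):
                if is_sensitive(tok[len(attr) + 1:], entry):
                    out[i] = attr + "=" + mask
                break
        i += 1
    return out


def filter_ps_output(lines: list, table: list) -> list:
    """Steps 740-800 over 'ps -ef' style lines: the eighth column is CMD.
    Only the output is altered; the process table itself is never modified."""
    result = []
    for line in lines:
        fields = line.split(None, 7)
        if len(fields) < 8 or fields[1] == "PID":   # header or malformed line passes through
            result.append(line)
            continue
        cmd = fields[7]
        try:
            argv = shlex.split(cmd)
        except ValueError:                          # unbalanced quotes: fall back to whitespace
            argv = cmd.split()
        name = os.path.basename(argv[0])
        for entry in table:                         # step 750: match command against table
            if name == entry.command:
                argv = blank_args(argv, entry)
        result.append(line[: len(line) - len(cmd)] + " ".join(argv))
    return result


# Constructed sensitive command attribute table: dbaddcmd entries are only blanked
# when the value is found in the (hashed) database; dbquery values are always blanked.
TABLE = [
    SensitiveEntry("dbaddcmd", ("-p",),
                   database=frozenset({hashlib.sha256(b"user_pwd").hexdigest()}),
                   encryption="sha256"),
    SensitiveEntry("dbquery", ("-p", "--password")),
]

# Constructed 'ps -ef' output.
PS_LINES = [
    "UID        PID  PPID  C STIME TTY          TIME CMD",
    "root         1     0  0 09:00 ?        00:00:01 /sbin/init",
    "genty     4321  4000  0 09:05 pts/0    00:00:00 dbaddcmd -a ADD -u genty -p user_pwd",
    "genty     4322  4000  0 09:06 pts/0    00:00:00 dbaddcmd -a ADD -u bob -p notasecret",
    "genty     4323  4000  0 09:07 pts/0    00:00:00 dbquery --password=hunter2 --host db1",
    "root      4400     1  0 09:07 ?        00:00:00 sshd -D",
]

if __name__ == "__main__":
    for out_line in filter_ps_output(PS_LINES, TABLE):
        print(out_line)
```

The database check is what separates the two embodiments: for dbaddcmd the value “notasecret” is left visible because it is not present in the designated store, while “user_pwd” is blanked; for dbquery, which has no database field, every value of a listed attribute is blanked unconditionally.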
Thus, the present invention provides a mechanism for ensuring the security of sensitive information that may be included in the process table of a data processing system. The present invention provides a mechanism for blanking or removing this sensitive information from any output of the process table. In this way, unauthorized processes may not retrieve sensitive information that they do not need and thus, unauthorized users cannot gain access to the sensitive information that may be stored in the process table.
It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims
1. A method in a data processing system for removing sensitive information from an output of process table information, comprising:
- obtaining the process table information;
- obtaining sensitive command attribute table information, wherein the sensitive command attribute table identifies commands associated with sensitive information;
- comparing entries in the process table information to entries in the sensitive command attribute table information; and
- removing, from the output of the process table information, sensitive information associated with entries in the process table information that match one or more entries in the sensitive command attribute table.
2. The method of claim 1, wherein obtaining process table information, obtaining sensitive command attribute table information, comparing entries, and removing sensitive information are performed in response to receiving a command requesting output of the process table information.
3. The method of claim 1, wherein the sensitive command attribute table includes information identifying attributes of commands that are associated with sensitive information.
4. The method of claim 3, wherein the sensitive information is a password.
5. The method of claim 3, wherein the sensitive command attribute table includes information identifying a type of encryption used by a database in which attribute values associated with a command attribute are located.
6. The method of claim 1, further comprising:
- performing a lookup of an attribute value associated with an entry in the process table information that matches an entry in the sensitive command attribute table, in a database identified by the sensitive command attribute table; and
- determining if the attribute value is present in the database, wherein removing sensitive information from the output of the process table information is performed in response to a determination that the attribute value is present in the database.
7. The method of claim 6, wherein the sensitive information is not removed from the output of the process table information if the attribute value is not present in the database.
8. The method of claim 1, wherein the sensitive command attribute table has a first column identifying a sensitive command and a second column identifying command attributes, associated with the sensitive command, whose attribute values are to be removed from the output of the process table information if an entry in the process table information includes the sensitive command.
Type: Grant
Filed: May 6, 2004
Date of Patent: May 27, 2008
Patent Publication Number: 20050257053
Assignee: International Business Machines Corporation (Armonk, NY)
Inventors: Denise Marie Genty (Austin, TX), Shawn Patrick Mullen (Buda, TX), James Stanley Tesauro (Austin, TX)
Primary Examiner: David Y Jung
Attorney: Duke W. Yee
Application Number: 10/840,558
International Classification: G06F 17/30 (20060101);